logs include:
Your precise GPS locations (which are also sent to their servers). Your WiFi network name. The IDs of nearby cell towers (even with no SIM card inserted, also sent to their servers). Your internet-facing IP address. The user token used by the device to authenticate with Rabbit's back-end API. Base64-encoded MP3s of everything the Rabbit has ever spoken to you (and the text transcript thereof).
Nasty :0
Nobody would collect all this by accident, especially when considering the purpose of the product…
Certainly not by accident. It takes intentional effort to collect any data, let alone data like this where you have to really scrape. This is in my opinion exactly what the tech industry is all about these days. I generally favor a light touch with regulation, but the US desperately needs some privacy laws because this industry is absolutely out of control
I'd generally say that disclosure should be enough (and is currently insufficient in the US outside of California), but I am weary that much of your life now involves "Pay us with Venmo" or "Customer service via Twitter," such that one cannot really opt-out without paying a significant cost.
Problem is if our congress were to make laws they would make tough on terrorist laws to compel collection and storage of data for the good guys to get the bad guys easier.
We all seem to forget that the patriot act passed 99 to 1. Whereupon…
We promptly got rid of the 1.
We have bad leaders. Look at our Presidential candidates. We won’t get better outcomes until that condition changes.
Those are local log files on the device. The post says the subset of information sent to the server is smaller.
Uploading location data with requests is a feature of the device. It's supposed to take your location into account so you can ask it questions like "What's the weather forecast?"
The article is sparse on when the information is sent to the servers. If location data is being sent with requests, that's hardly a surprise.
No. The whole product is an abstraction to different software interfaces. If it sends data, it should sent it to the weather API, not to Rabbit servers nor even log it, because the information is relevant only at that moment.
Even if they route all traffic through their backend, their should log only errors. There is really no reason to store the location history on OS level.
That's not how the device works. The weather and location data are both context inputs to an LLM. The LLM produces the response and sends it to the device. The LLM runs on the server, not the device.
You can't have the device connect to a separate weather API unless you send keys to the device, which would require per-user access credentials (good luck finding a 3rd party provider happy to do that). It would also increase the number of round trips, which increases response delay, which is one of the primary complaints about the device.
Most likely they were collecting it all to make debugging easier.
Is this sent to the server all the time? Or just with requests? It shouldn't come as a surprise to anyone that a device designed to respond to questions like "What's a good restaurant near me?" is also sending location context with requests.
If they're sending a constant stream of location all the time for no reason, that would be concerning.
A device must store WiFi network names to reconnect to them. An IP address showing up in local logs isn't really surprising either.
Storing the user access token on the device is also a necessity for reconnecting without logging back in every time you turn it on. The fact that it's stored directly in logs isn't a good practice, but when those logs are stored on the same storage as the db or config file that contains them, it's also not really a new issue by itself. If they were uploading logs directly to their servers, that would be an issue of course.
Regarding storage of WiFi names:
That’s a weak excuse IMO. Firstly, the WiFi logic is probably entirely handled by Android, so the app doesn’t have to do anything with that. And that also doesn’t explain the WiFi names in logs. Or are they parsing their own logs to determine which WiFi to connect to? If it’s some structured data or a database, I would get it, but they surely aren’t logging something to reconnect to the mentioned WiFi names later.
The app handles the process of connecting to a WiFi network.
It doesn't have a standard Android interface. The only interface is through the Rabbit app, so by definition the app must also handle WiFi at some point.
The already released an update to reduce logging before this blog was posted.
I'm not defending their initial over-logging as a good security choice, but I do think it's being greatly exaggerated in this comment section. If you could access the device's storage, you could access the WiFi network name, period. The fact that it's in the logs, not just the config files/db, doesn't raise the severity of any vulnerabilities.
They do have reasonable grounds to say they need to send location data to their servers (although there is no setting to turn off geolocation), but there was no excuse for the local logging.
(And yes, it is sent periodically regardless of what you're doing, not as part of specific queries)